
The firewall implementation must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.


Overview

Finding ID: SRG-NET-000391-FW-000244
Version: SRG-NET-000391-FW-000244
Rule ID: SRG-NET-000391-FW-000244_rule
IA Controls: (not specified)
Severity: Medium
Description
Failing to continuously monitor the network leaves the network vulnerable to attack. The Enclave firewall rules and Access Control Lists (ACLs) should be based on the authorized applications in use within the Enclave; all non-required ports and services will be blocked by the most restrictive rules possible. This applies both to Wide Area Network (WAN) to Local Area Network (LAN) interfaces and to the LAN-to-LAN interfaces between different security domains/sub-enclaves. The device must be placed at these boundaries and configured to monitor traffic and to allow only specifically authorized traffic. All other traffic is unauthorized and unusual, and therefore prohibited.

Although only authorized traffic is permitted, by source and destination IP address pair and protocol/port, ACLs and simple firewalls that cannot perform deep packet inspection can be “fooled” by malicious traffic masquerading as legitimate traffic. The ports used by this traffic may be the same ports normally used by other applications, which puts identifying it beyond the capabilities of a simple ACL or even a stateful firewall. If authorized traffic exhibits unusual traffic volumes, this indicates possible traffic masquerading. Therefore, unusual volumes of traffic must be logged and a notification sent to authorized personnel. This can be accomplished by configuring rate limiters to generate log messages when a threshold is met or exceeded, or by using capabilities that monitor and export flow information to a centralized collector or console (e.g., NetFlow, J-Flow).
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000391-FW-000244_chk )
Review the configuration of the firewall implementation. If the device is not configured to continuously monitor outbound communications traffic for unusual or unauthorized activities or conditions, this is a finding. If the device is not continuously operational or highly available (redundancy is provided), this is a finding.
Fix Text (F-SRG-NET-000391-FW-000244_fix)
Configure the firewall implementation to monitor outbound communications traffic for unusual or unauthorized activities or conditions. Implement the device as part of a highly available architecture.
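The Description names two ways to turn "unusual volumes" into a logged event: a rate-limiter threshold that fires a log message, and flow export (NetFlow/J-Flow style) to a central collector that does the comparison. The script below is an added example written for this page; it is not part of the STIG, and it is not code from any firewall vendor or flow collector. It assumes a simplified flow-record shape (start time, src, dst, protocol, destination port, bytes), an assumed enclave prefix of 10.0.0.0/8 as the LAN side of the boundary, and illustrative thresholds (5 MB per 5-minute window, or 10x a host/port's own prior peak); the flow records are constructed sample data. It applies both checks to outbound flows only and renders each hit as a single log line of the kind the Fix Text expects to be forwarded to authorized personnel.

```python
"""Flag unusual outbound traffic volumes from exported flow records."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records (not real data). Each tuple is a generic
# NetFlow/J-Flow-style summary: start time (UTC), src, dst, protocol,
# destination port, bytes sent from src to dst.
SAMPLE_FLOWS = [
    # 10:00-10:09: ordinary HTTPS and DNS from two internal hosts
    ("2014-07-07T10:00:05", "10.1.1.10", "203.0.113.5", "tcp", 443, 35_000),
    ("2014-07-07T10:00:40", "10.1.1.11", "203.0.113.5", "tcp", 443, 28_000),
    ("2014-07-07T10:01:10", "10.1.1.10", "198.51.100.2", "udp", 53, 600),
    ("2014-07-07T10:05:15", "10.1.1.10", "203.0.113.5", "tcp", 443, 41_000),
    ("2014-07-07T10:06:02", "10.1.1.11", "203.0.113.9", "tcp", 443, 30_000),
    ("2014-07-07T10:07:30", "10.1.1.10", "198.51.100.2", "udp", 53, 450),
    # 10:10-10:14: 10.1.1.10 pushes far more than usual over tcp/443, a port
    # its legitimate HTTPS use also relies on, so a port-based ACL passes it
    ("2014-07-07T10:10:05", "10.1.1.10", "203.0.113.77", "tcp", 443, 9_500_000),
    ("2014-07-07T10:11:20", "10.1.1.10", "203.0.113.77", "tcp", 443, 8_200_000),
    ("2014-07-07T10:12:00", "10.1.1.11", "203.0.113.5", "tcp", 443, 27_000),
    # inbound flow (external source); the outbound monitor must skip it
    ("2014-07-07T10:12:30", "203.0.113.5", "10.1.1.11", "tcp", 443, 120_000),
]

# Assumed enclave (LAN) address space; adjust to the monitored boundary.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def outbound_volume_by_window(flows, window_seconds=300):
    """Sum bytes per (window start, src, proto, dport) for flows leaving the enclave."""
    totals = defaultdict(int)
    for ts, src, dst, proto, dport, nbytes in flows:
        if (ipaddress.ip_address(src) not in INTERNAL
                or ipaddress.ip_address(dst) in INTERNAL):
            continue  # only LAN-to-WAN traffic is in scope
        start = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        epoch = int(start.timestamp())
        window = epoch - epoch % window_seconds
        totals[(window, src, proto, dport)] += nbytes
    return dict(totals)


def unusual_volume_alerts(flows, window_seconds=300,
                          hard_limit=5_000_000, baseline_factor=10):
    """Return one alert dict per window whose outbound volume is unusual.

    Two tests, matching the mechanisms the requirement names:
      * a rate-limiter-style hard threshold (bytes per window), and
      * a comparison of each (src, proto, dport) against that key's own
        peak in earlier windows, which catches a normally quiet host/port
        that suddenly carries a large volume.
    Thresholds are assumed values for illustration, not tuned figures.
    """
    totals = outbound_volume_by_window(flows, window_seconds)
    history = defaultdict(list)  # key -> byte totals of earlier windows
    alerts = []
    for (window, src, proto, dport), nbytes in sorted(totals.items()):
        key = (src, proto, dport)
        reasons = []
        if nbytes >= hard_limit:
            reasons.append(f"volume {nbytes} B meets hard limit {hard_limit} B")
        if history[key]:
            peak = max(history[key])
            if nbytes > peak * baseline_factor:
                reasons.append(f"{nbytes / peak:.0f}x prior peak of {peak} B")
        if reasons:
            alerts.append({
                "window_start": datetime.fromtimestamp(
                    window, tz=timezone.utc).isoformat(),
                "src": src, "proto": proto, "dport": dport,
                "bytes": nbytes, "reasons": reasons,
            })
        history[key].append(nbytes)
    return alerts


def format_log_line(alert):
    """Render an alert as a single syslog-style line for the central collector."""
    return (f"{alert['window_start']} FW-OUTBOUND-ANOMALY src={alert['src']} "
            f"proto={alert['proto']} dport={alert['dport']} "
            f"bytes={alert['bytes']} reason=\"{'; '.join(alert['reasons'])}\"")


if __name__ == "__main__":
    for a in unusual_volume_alerts(SAMPLE_FLOWS):
        print(format_log_line(a))
```

On the sample data only the 10:10 window for 10.1.1.10 over tcp/443 is reported, and it trips both tests; the inbound 120 kB flow is excluded because its source is outside the assumed enclave prefix. The per-key baseline is the part a plain ACL or stateful firewall cannot provide: the destination port is an authorized one, so only the volume relative to that host's own history reveals the masquerading pattern the Description warns about. In a real deployment the thresholds would come from observed traffic and the log line would be sent to the collector or SIEM rather than printed.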